
Sonatype Uncovers Millions of Previously Hidden Open Source Vulnerabilities Through Unique Shaded Vulnerability Detection System

Discovery underscores the importance of accuracy, prioritization, and effective recommendations so that developers can deliver essential innovations while also building secure, high quality, maintainable software

May 2, 2024 – Fulton, Md. – Sonatype, the software supply chain optimization company, today announced it has identified 336,000 previously undetectable “Critical” open source vulnerabilities through a new, first-of-its-kind shaded vulnerability detection capability in the Sonatype platform that revolutionizes the identification of hidden security threats within open source code.

This industry-first data enhancement comes from a novel Sonatype-created algorithm capable of detecting vulnerabilities in "shaded" open source files—a technique in which original code is repackaged, often making detection by traditional means impossible. Through this technique, Sonatype uncovered a previously hidden layer of risk within the software supply chain: 4.5 million additional open source vulnerabilities were found, 1.85 million of them with a “High” risk classification and 336,000 with a CVSS score of 9.7 or above, categorized as Critical by the National Vulnerability Database (NVD) and comparable to Log4Shell in severity.
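To make the shading problem concrete, here is an added illustration that is not Sonatype's algorithm (the release does not describe it): a constructed uber-jar carries a relocated copy of a library with none of that library's Maven metadata, so a scanner keyed on groupId:artifactId:version finds nothing, while a scanner that fingerprints class content does. The library, class bytes, coordinates and advisory id are all placeholders.

```python
import hashlib
import io
import zipfile

# Constructed catalogue of a "known vulnerable" class. A real detector uses
# fingerprints that survive bytecode relocation (the shade plugin rewrites
# package references); an exact SHA-256 of the bytes stands in here.
VULN_LIB_CLASS = "org/example/vulnlib/Lookup.class"      # placeholder library
VULN_LIB_BYTES = b"constructed-bytecode-of-vulnlib-Lookup-1.0"
VULN_COORDINATES = {"example:vulnlib:1.0"}                # placeholder GAV
VULN_CATALOG = {
    hashlib.sha256(VULN_LIB_BYTES).hexdigest(): ("example:vulnlib:1.0", "ADVISORY-PLACEHOLDER"),
}


def build_shaded_jar() -> bytes:
    """Constructed uber-jar: only the app's own pom.properties is present;
    vulnlib is relocated under example/app/shaded/ with no metadata of its own."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/example/app/pom.properties",
                     "groupId=example\nartifactId=app\nversion=2.3\n")
        jar.writestr("example/app/Main.class", b"constructed-app-bytecode")
        jar.writestr("example/app/shaded/" + VULN_LIB_CLASS, VULN_LIB_BYTES)
    return buf.getvalue()


def coordinate_scan(jar_bytes: bytes) -> list:
    """Traditional approach: derive Maven coordinates from embedded pom.properties."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                lines = jar.read(name).decode().splitlines()
                props = dict(line.split("=", 1) for line in lines if "=" in line)
                gav = f"{props['groupId']}:{props['artifactId']}:{props['version']}"
                if gav in VULN_COORDINATES:
                    hits.append(gav)
    return hits


def content_scan(jar_bytes: bytes) -> list:
    """Relocation-aware approach: match every class by content fingerprint,
    ignoring whatever package prefix it was moved under."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                digest = hashlib.sha256(jar.read(name)).hexdigest()
                if digest in VULN_CATALOG:
                    gav, advisory = VULN_CATALOG[digest]
                    hits.append((name, gav, advisory))
    return hits
```

Running both scans on the same jar shows the gap: the coordinate scan reports nothing, the content scan reports the relocated class, its original coordinates and the advisory.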

The pace of software innovation is paramount to remaining competitive, but for development teams to work efficiently, they must prioritize where to spend their time. Comprehensive intelligence on vulnerable components provides a holistic picture, improving risk management while eliminating developer waste so teams can focus on innovating at scale.  

Speaking on the announcement, Wayne Jackson, CEO of Sonatype said, "The reality is, 'good enough' is not enough when it comes to securing the open source software that underpins much of the digital world. Bad actors are constantly evolving their methods, and to help our customers stay ahead of them, we must evolve as well. Our commitment is to provide the deepest, most comprehensive insights into open source vulnerabilities, coupled with the tools and automation necessary to boost developer productivity while minimizing security risks."

This announcement is particularly important, given the recent uptick in attacks targeting the software supply chain, such as the malicious code found in the widely-used XZ utility. These recent attacks have shone a harsh light on the need for companies to adopt more sophisticated software supply chain security measures to protect against such vulnerabilities, mitigate risks within the open-source ecosystem, and safeguard organizations from large-scale attacks.

Unlike other tools, the Sonatype platform's design emphasizes comprehensiveness and precision in findings, while virtually eliminating false positives and illuminating false negatives. This ensures that teams focus only on genuine threats at the right time, thereby reducing unnecessary workload and strain on development teams. Equally important, the platform also empowers developers with automated remediation tools, enabling far more efficient and productive vulnerability resolution. 

“While no one wants to see more vulnerabilities discovered in open source, sunshine is, as they say, the best disinfectant. The key here is to prioritize the most critical, exploitable defects and to provide developers with reliable fixes that do not get in the way of innovation,” said Jackson. “We know the pressures on both developers and security teams, which is why our solutions streamline and even automate the remediation process, helping developers resolve the most critical issues while maintaining high levels of efficiency and productivity. This balance is key for driving innovation while safeguarding software integrity.”

Amid the growing complexity of software supply chains, Sonatype's innovations offer optimism that developers can continue to develop innovative software, while avoiding additional security-related stress. By merging security with productivity, Sonatype dispels the notion that companies must compromise between the two. This progress highlights the potential for businesses to enhance efficiency and security, making a new era in software development and cybersecurity truly possible.

Attending RSAC? Visit us at booth 4624 in the North Expo to learn more about Shaded Vulnerability Detection and all of Sonatype's unique data advantages. 

About Sonatype 

Sonatype is the software supply chain optimization company. We provide the world’s best software supply chain optimization technology and intelligence, empowering enterprises to create and maintain secure, quality, and innovative software at scale. As founders of Nexus Repository and stewards of Maven Central, the world’s largest repository of Java open source software, we are software pioneers and our open source expertise is unmatched. We empower innovation with an unparalleled commitment to build faster, safer software and harness AI and data intelligence to mitigate risk, maximize efficiencies, and drive powerful software development. More than 2,000 organizations, including 70% of the Fortune 100 and 15 million software developers, rely on Sonatype to optimize their software supply chains. To learn more about Sonatype, please visit www.sonatype.com.